Sunday, 20 April 2014

Are national data retention laws within the scope of the Charter?

By Steve Peers

Following the annulment of the EU’s data retention Directive by the CJEU, an obvious important question arises: are national data retention laws subject to the same ruling of the Court? The purpose of this post is to set out the reasons why they are.

The starting point for this analysis is Article 51 of the EU’s Charter of Fundamental Rights, which states that the Charter applies to the EU institutions and other EU bodies, but to the EU’s Member States ‘only’ when they are ‘implementing’ EU law. What does that mean?

On the narrowest interpretation, Member States ceased to be implementing EU law on data retention from the moment that the data retention Directive became invalid. After all, from that point, there was no EU data retention law to implement. However, it is arguable that Member States can still be regarded as ‘implementing’ EU law where their national legislation was introduced to implement an EU obligation. It’s a novel point, because it’s rare for the CJEU to annul EU laws on substantive grounds. And where the Court has done so, it has more often annulled only a small part of those EU laws (in the Test-Achats judgment, for instance).

But that is merely an alternative argument that the EU Charter continues to apply to national data retention law. The main argument is based on solidly established case law of the CJEU regarding the scope of EU human rights protection where Member States derogate from EU law.

EU human rights rules and national derogations from EU law

As far back as 1991, the CJEU ruled in the ERT case that where Member States derogate from EU internal market rules, they are still subject to EU human rights obligations (which then took the form only of the EU’s ‘general principles of law’, since the Charter was not yet a gleam in anyone’s eye). This was confirmed in the Familiapress judgment, as regards exceptions from the internal market rules which are based on the CJEU’s ‘rule of reason’ case law, rather than the express exceptions in the Treaties.

Does the Charter take the same approach? While many assumed that the word ‘implementing’ in the text of Article 51 suggested a narrower interpretation than under the prior case law, in its judgment in Fransson the CJEU stated that its prior case law regarding the scope of the general principles applied equally to the Charter. While that judgment did not concern derogations from EU law, the CJEU should shortly be ruling on this point in the case of Pfleger (judgment due 30th April), where the Advocate-General’s opinion assumes as much. Pending the possible confirmation in that judgment, it should be assumed for the time being that the Charter does indeed apply to national derogations from EU law, given that the CJEU made no distinction in Fransson as regards the aspects of its prior case law which were still applicable.

In any event, even if the Charter does not apply to national derogations from EU law, the general principles still do, given that they have a continued existence independent from the Charter in Article 6(3) TEU.

Applying the case law

Two further issues arise. First of all, does EU human rights law apply where Member States are not derogating from EU internal market rules in the Treaty, but from other rules of EU law? In principle it should, given that the Treaties list other EU objectives besides the creation of an internal market. Why should EU human rights rules only apply as regards national derogations from EU rules in one particular area of EU law, but not as regards derogations from EU rules in other areas of law?

Anyway, the CJEU has in effect confirmed that Member States are bound by the Charter and the general principles even where the law in question does not concern the internal market. In EP v Council and the subsequent case of Chakroun, the CJEU ruled that national derogations from the EU’s family reunion Directive had to comply with human rights obligations, without suggesting any distinction in this regard between national derogations from EU internal market rules in the Treaty and national derogations from other EU rules set out in EU legislation.

Secondly, is there an EU law rule that Member States are derogating from when they continue to apply national data retention laws? Indeed, there is: Article 15(1) of the EU’s e-privacy Directive specifies that Member States may restrict the rights in that Directive relating to the confidentiality of communications, location and other traffic data and caller identification:

'when such restriction constitutes a necessary, appropriate and proportionate measure within a democratic society to safeguard national security (i.e. State security), defence, public security, and the prevention, investigation, detection and prosecution of criminal offences or of unauthorised use of the electronic communication system, as referred to in Article 13(1) of Directive 95/46/EC. To this end, Member States may, inter alia, adopt legislative measures providing for the retention of data for a limited period justified on the grounds laid down in this paragraph. All the measures referred to in this paragraph shall be in accordance with the general principles of Community law, including those referred to in Article 6(1) and (2) of the Treaty on European Union.'

In fact, the CJEU has ruled repeatedly on the application of the Charter to cases where copyright holders have invoked this clause to justify planned restrictions upon Internet use (see most recently the Telekabel Wienjudgment). There is no reason why the CJEU would not also apply the clause to data retention on crime-fighting grounds, given that the second sentence of Article 15(1) refers expressly to data retention and the first sentence refers expressly to criminal law.

Finally, while some forms of data retention might fall outside the scope of the e-privacy Directive, which in principle applies to telecommunications service providers (not, for instance, to social networks or search engines), those other forms of data retention would anyway fall within the scope of the similar Article 13 of the main data protection Directive, given that they would clearly constitute the processing of personal data within the scope of that Directive. Neither the ‘household exception’ to that Directive nor the exception for processing in the field of criminal law would apply – since the data retention would be taking place in the context of a commercial activity (since the judgment on the legal base of the data retention Directive by analogy).

[Update: see discussion of the later Pfleger judgment here. Two cases on national data retention laws were later referred to the CJEU; see discussion of them here.]

3 comments:

I fully agree, but offer two further remarks (my two cents!):1. Article 15 (1) explicitly requires national data retention measures (for providers of electronic communications services) to "be in accordance with the general principles of Community law, including those referred to in Article 6(1) and (2) of the Treaty on European Union." So the e-Privacy directive itself limits the possible derogations from the principle enshrined in it (data must be erased when it is no longer needed for the purpose of the transmission of a communication). As the directive is of 2002, the reference to "general principles" (including Art 6 TEU) must now be read as also referring to the Charter of Fundamental Rights. 2. The CJEU has already ruled on Article 15(1) of the e-Privacy directive, in Bonnier Audio ( http://curia.europa.eu/juris/document/document_print.jsf?doclang=EN&text=&pageIndex=0&part=1&mode=DOC&docid=121743&occ=first&dir=&cid=30573 ), reiterating what it had held in Promusicae and LSG, that when transposing (ia) Directive 2002/58, it is for the Member States to ensure that they rely on an interpretation of the directive which allows "a fair balance to be struck between the various fundamental rights protected by the European Union legal order." In my view, the judgment in Bonnier Audio already answers your question: even when making use of the possibility for national data retention measures offered by Article 15(1) of the e-Privacy directive, Member States are bound by the Charter.

Thank you this is very perceptive. But I wonder whether Member States could continue to argue legitimately that data retention obligation and other related practices may fall altogether outside the scope of EU competence. In particular, Art 4 (2) TEU which refers to respect for 'essential State fucntions' including law and order and national security ('the sole responsibility of each MS'), and Art 72 TFEU which states that EU area of freedom security and justice 'shall not affect the exercise of the responsibilities incumbent upon MS with regard to the maintenance of law and order and safeguarding national security'. Art 15(1) of Dir 2002/58 reads permissively, rather than prescriptively or proscriptively, stating that MS 'may restrict' (ie apply mandatory data retention) and if so they 'may, inter alia, adopt legislative measures'.

As far as data retention by ISPs for the purpose of police cooperation is concerned, the CJEU already ruled that it falls within the scope of the internal market legal base in the Treaties, so Article 72 TFEU would not apply. Logically it shouldn't matter (as far as the legal base issue is concerned) if the retention is mandatory or optional. Article 4(2) TEU didn't exist then, but it's hard to imagine that the CJEU would have come to a different conclusion if it had. However, I agree that data retention for the purposes of intelligence agencies might arguably fall outside EU competence. Also measures taken by police bodies directly are arguably outside the internal market legal base at least, if the ISPs are not being called upon to take action.